Page 1 of 5

[2.0.21] prevent reply notifications to unauthorized users

Posted: Mon Sep 06, 2004 1:44 pm
by Extensions Robot
MOD Name: prevent reply notifications to unauthorized users
Author: asinshesq
MOD Description: PHPBB does not check the current authorization of a user when it sends reply notification emails to all users listed in the topic watch table. This means for example that if a user is moved to a new group that does not have access to a given forum (or gets deactivated), the user will continue to receive email notifications of replies to topics he posted in that appear in that forum. Then, when he folows the link in the email, he is told no such topic or post exists (since he is no longer authorized
to be in that forum). This mod fixes that behavior by ensuring that only users who are authorized to read a given forum receive email notifications of replies in that forum.


MOD Version: 1.0.5a (Updated 06/11/06)

Download File: prevent_reply_notifications_to_unauthorized_users_1-0-5a.zip
mods overview page: View
File Size: 5229 Bytes

Support for this MOD needs to be asked within this topic. The phpBB Teams are not responsible or required to give anyone support for this MOD. By installing this MOD, the phpBB Support Team or phpBB MODifications Team may not be able to provide support.

This MOD has only been tested by the phpBB MOD Team with the phpBB version in the topic title. It may not work in any other versions of phpBB.

Posted: Tue Sep 07, 2004 12:16 am
by ycl6
MOD Validated/Released

Notes:
This MOD make sure emails are sent to the appropriate user based on the current status on the forum.

Posted: Tue Sep 07, 2004 12:28 am
by asinshesq
My first validated mod (I have 5 others in the que and it looks like those will be out soon too). Thanks for getting this thorugh so quickly, Mac (ycl6)!

By the way, is it cheating for me to vote in the poll :roll:

One more thing: if you have one of the forum notification hacks installed, you should add similar code in includes/functions_post.php where that hack figures out who to send the forum notification emails to.

Posted: Tue Sep 07, 2004 12:32 am
by markus_petrux
Little big MOD. Good catch, btw. ;)


.

Posted: Tue Sep 07, 2004 12:39 am
by asinshesq
markus_petrux wrote: Good catch, btw. ;)


.


Thanks, but this was not an insightful catch on my part...I had multiple users who had been moved from permission in one forum to permission in another complaining that they were receiving emaill notiifications and when they clicked the link in the notification there were 'no such posts'...didn't take a rocket scientist to realize what had gone wrong.

Posted: Tue Sep 07, 2004 2:24 am
by omega13a
I just got done adapting this mode for the Forum Notification mod by David Herrmann.

In functions_post.php find:

Code: Select all

			$sql = "SELECT u.user_id, u.user_email, u.user_lang, u.username, f.forum_name 
				FROM " . TOPICS_WATCH_TABLE . " tw, " . USERS_TABLE . " u, " . FORUMS_TABLE . " f 
				WHERE tw.topic_id = $topic_id 
					AND tw.user_id NOT IN (" . $userdata['user_id'] . ", " . ANONYMOUS . $user_id_sql . ") 
					AND tw.notify_status = " . TOPIC_WATCH_UN_NOTIFIED . " 
					AND f.forum_id = $forum_id 
					AND u.user_id = tw.user_id";
Replace that with:

Code: Select all

// start mod prevent_reply_notification_emails_from_being_emailed_to_unauthorized_users...replaced the original
// $sql definition with the one that appears below
			$sql = "SELECT DISTINCT u.user_id, u.user_email, u.user_lang, u.username, f.forum_name 
				FROM " . TOPICS_WATCH_TABLE . " tw, " . USERS_TABLE . " u, " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug, " . FORUMS_TABLE . " f
				WHERE tw.topic_id = $topic_id 
					AND tw.user_id NOT IN (" . $userdata['user_id'] . ", " . ANONYMOUS . $user_id_sql . ") 
					AND tw.notify_status = " . TOPIC_WATCH_UN_NOTIFIED . " 
					AND u.user_id = tw.user_id
					AND f.forum_id = $forum_id
					AND u.user_active = 1
					AND
					(
						(
						ug.user_id = tw.user_id
						AND aa.group_id = ug.group_id
						AND aa.forum_id = f.forum_id
						AND aa.auth_read = 1
						)
						OR f.auth_read <= " . AUTH_REG . " 
						OR (u.user_level = " . MOD . " AND f.auth_read = " . AUTH_MOD . ")
						OR (u.user_level = " . ADMIN . " AND f.auth_read = " . AUTH_ADMIN . ")
					)";
// end mod prevent_reply_notification_emails_from_being_emailed_to_unauthorized_users
Then find:

Code: Select all

$sql = "SELECT u.user_id, u.user_email, u.user_lang, f.forum_name
				FROM " . USERS_TABLE . " u, " . FORUMS_WATCH_TABLE . " fw, " . FORUMS_TABLE . " f 
				WHERE fw.forum_id = $forum_id 
					AND fw.user_id NOT IN (" . $already_mailed . $userdata['user_id'] . ", " . ANONYMOUS . $user_id_sql . " ) 
					AND f.forum_id = $forum_id
					AND f.forum_notify = '1' 
					AND u.user_id = fw.user_id";
Replace that with:

Code: Select all

// start mod prevent_reply_notification_emails_from_being_emailed_to_unauthorized_users...replaced the original
// $sql definition with the one that appears below
			$sql = "SELECT DISTINCT u.user_id, u.user_email, u.user_lang, f.forum_name
				FROM " . FORUMS_WATCH_TABLE . " fw, " . USERS_TABLE . " u, " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug, " . FORUMS_TABLE . " f
				WHERE fw.forum_id = $forum_id 
					AND fw.user_id NOT IN (" . $already_mailed . $userdata['user_id'] . ", " . ANONYMOUS . $user_id_sql . ") 
					AND f.forum_notify = '1' 
					AND u.user_id = fw.user_id
					AND f.forum_id = $forum_id
					AND u.user_active = 1
					AND
					(
						(
						ug.user_id = fw.user_id
						AND aa.group_id = ug.group_id
						AND aa.forum_id = f.forum_id
						AND aa.auth_read = 1
						)
						OR f.auth_read <= " . AUTH_REG . " 
						OR (u.user_level = " . MOD . " AND f.auth_read = " . AUTH_MOD . ")
						OR (u.user_level = " . ADMIN . " AND f.auth_read = " . AUTH_ADMIN . ")
					)";
// end mod prevent_reply_notification_emails_from_being_emailed_to_unauthorized_users

Posted: Sat Sep 11, 2004 2:18 pm
by asinshesq
Thanks, Omega13, but I think you may have missed one, since I think the David Hermann mod has two different notifications - one for new topics in a watched forum and the other for replies in a watched forum where the user hasn't himself posted in that topic.

If I have time over the weekend I'll try to post an integrated mod that shows everything you need to do to make this work with Hermann's forum notifcation mod.

Posted: Sat Sep 11, 2004 2:34 pm
by asinshesq
OK, here's the full mod if you are already using David Hermann's forum notification mod (which I highly recommend):

[edit: I deleted the mod code here since I now include it in the latest version of the mod that you can download from the first post of this thread]

Posted: Tue Oct 19, 2004 7:07 pm
by Winky
Ty Alan for the great modification to the original mod ;)

For my opinion, it confirms u as a Master on "know how" & "support". lol great medals but no cash :\



P.s. E.M. is great once understood ... really ty 4 suggestion


ciao

Take care

Andres

Posted: Tue Oct 19, 2004 10:03 pm
by asinshesq
My friend Andres (a/k/a Winky) pointed out an error in the alternate version of this mod that I posted for people who have David Hermann's forum notification already installed, so I reposted that code earlier in this thread.

Posted: Sat Oct 30, 2004 4:11 pm
by asinshesq
By the way, some people may want to tweak this mod to provide that anyone who is an admin always has a right to get notification from ANY forum even if he is not a member of a group that has access to the forum (since an ADMIN has acess to all forums regardless of group membership).

If you want this mod to work that way on your forum, do this:

FIND all lines in the mod that read like this:
OR (u.user_level = " . ADMIN . " AND f.auth_read = " . AUTH_ADMIN . ")

(note that in the normal mod that appears only once but in the version that I posted earlier in this thread for people with David Hermann's forum notification mod installed, the line appears three times)

now, change each that reads like that to instead read like this:
OR (u.user_level = " . ADMIN . ")

Please let me know if you think this is the better way for the mod to work for everyone...if so, I will submit another version for validation that works that way.

Posted: Thu Dec 02, 2004 1:06 pm
by ycl6
MOD Updated to version 1.0.3
See first post for Download Link

Posted: Thu Dec 02, 2004 2:43 pm
by asinshesq
The new version changes things so that anyone who is an admin always has a right to get notification from ANY forum even if he is not a member of a group that has access to the forum (since an ADMIN has acess to all forums regardless of group membership); if you've already made the chagne described in my last post before this one you are already up to date.

I've also included an alternative mod for people that use David Hermann's forum notification mod.

Posted: Thu Dec 02, 2004 6:39 pm
by ymmotrojam
hmm... could this mod possibly be modified to also stop sending replies to a person if they haven't looked a thread in a certain amount of time?

Posted: Thu Dec 02, 2004 7:12 pm
by asinshesq
ymmotrojam wrote: hmm... could this mod possibly be modified to also stop sending replies to a person if they haven't looked a thread in a certain amount of time?


Why would want to do that? Reply notification in phpbb is already set up so that a user only gets an email for a topic once and then subsequent emails are not sent to the user until he has gone and looked at the thread (at which point a subsequent reply would trigger another email and again stop until the user actually goes to view the topic), so there is no risk of a user getting besieged with multiple emails for a topic he never looks at.

As for your question, yes, you could modify this, but that probably invloves substantial tinkering similar to that involved in the keep unread mod...not very pretty.